By steffo on May 28, 2008
My colleague Jörg was listening to the radio when they broadcast that a weakness in Microsoft's CardSpace identity metasystem had been found. Here's the link: http://demo.nds.rub.de/cardspace/.
From a quick look, the attack is more an application of dynamic pharming (DNS pinning) and general browser/user security issues than an attack on the CardSpace protocol itself. The only CardSpace-related part is that a security token can be replayed and that CardSpace doesn't require an undeniable token: whoever possesses the token has access to the service provider. Sun Access Manager has a (weak) approach to undeniable tokens: it ties them to an IP address. However, this can cause problems, because many setups use HTTP proxies.
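To make the proxy problem concrete, here is an added sketch (not code from this post, CardSpace or Sun Access Manager) of a token whose MAC covers the client IP, checked from four constructed vantage points. The token format, the function names and the documentation-range addresses are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(subject: str, client_ip: str) -> str:
    """Issue a token whose MAC covers the subject and the IP it was issued to."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{subject}|{nonce}|{client_ip}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{subject}|{nonce}|{mac}"


def verify_token(token: str, observed_ip: str) -> bool:
    """Accept the token only if it is presented from the IP it was bound to."""
    try:
        subject, nonce, mac = token.split("|")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{subject}|{nonce}|{observed_ip}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def scenarios() -> dict:
    """Run the constructed cases; all addresses are documentation ranges."""
    direct = issue_token("alice", "198.51.100.7")
    proxied = issue_token("alice", "203.0.113.10")  # issued via proxy egress A
    return {
        # Same client, same address: accepted.
        "same_ip": verify_token(direct, "198.51.100.7"),
        # Token replayed from another address: rejected.
        "replay_other_ip": verify_token(direct, "192.0.2.44"),
        # Legitimate user whose next request leaves via proxy egress B: rejected.
        "proxy_pool_switch": verify_token(proxied, "203.0.113.11"),
        # Any other client behind the same proxy egress A: accepted.
        "shared_proxy_replay": verify_token(proxied, "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The last two cases are the weakness: the binding locks out a legitimate user whose proxy egress changes, while still accepting the token from anyone who shares the original egress address.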
The "CardSpace" attack again shows that two or three security issues can easily add up to a bigger problem.